The Security of Security Vendors

by Matt Klassen on March 5, 2012

Security vendors gather annually at the RSA conference in San Francisco to discuss their reason for being: keeping us safe from brazen hackers and anonymous cyber-thieves. Every year these security vendors pat each other on the back and tell the world that everything is copacetic, that everything is safe, and every year, usually when our annual contract with our chosen vendor comes due, we tend to believe them.

But dealing in protection is a difficult game, particularly when the vendors can’t even protect their own systems from cyber-attacks. In fact, the current security vendor market often strikes me as the local mob, offering their ‘protection’ services to the local shop owners at a price. The only problem here, however, is the shop owner realizing afterwards that there’s a bigger, stronger mob in town, making the promised protection absolutely worthless.

More to the point, can we really trust the security vendors to tell us the truth regarding the current cyber-security situation? It would certainly be in their best interests not to, as who would pay for protection services from companies who really can’t protect anything?

With several high-profile hacker attacks on key security vendors made public this past year—often by the hackers themselves—RSA executive chairman Art Coviello at least had the sense to add an air of humility to his keynote speech this past weekend.

He acknowledged that the current security models are simply inadequate, saying that, “Never have so many companies been under attack, including RSA.” Of course he concluded his speech with the requisite bravado needed to assuage industry and public concerns, concluding that, “Together we can learn from these experiences and emerge from this hell, smarter and stronger than we were before.”

However, if history has shown us anything, it’s that Coviello’s machismo is misplaced, blind to the reality that to date the security vendor industry has been forced to play catch-up, always a step behind the cyber-attackers. In fact, while the current security industry is still coming to grips with the existing threats to business and private users, hackers have already devised new ways to steal our information, new malware that our beloved security vendors simply have no answer for.

With current security models inadequate to respond to hackers, with security vendors themselves subject to breaches, and the entire security industry unable to truly keep us safe, one might wonder why anyone in their right mind would depend on this protection racket for their security needs. The answer to that is twofold: fear and secrecy.

First, listening to speeches and keynote addresses at a security conference is like listening to Homeland Security talk about terrorism: threats are persistent, ever-present, and unstoppable, and regardless of the real threat level, security vendors want you to be scared enough to pay for their services. Second, you had better believe that the recent public hacks on security firms like RSA are only the tip of the iceberg, with vendors motivated by profits to keep their own vulnerabilities quiet, although the reality, concisely summarized by Andrew Brandt, director of threat research at Solera Networks Research Labs, is that “security through obscurity provides no security at all.”

Now don’t get me wrong, I’m not saying dump your security vendor because they’re totally pointless; current security products do protect us from a great deal of annoying spyware and malware. Rather, the security vendor industry as a whole seems to be living in a fantasy land, unable to protect itself and unwilling to realize that reactive approaches to a motivated and highly skilled hacker community are simply ineffective.